Linux Netfilter discussions
* iptables 1.4.16.3 on a Zyxel Router: NOTRACK / CT --notrack not available
@ 2023-04-16 10:23 Johannes Erwerle
From: Johannes Erwerle @ 2023-04-16 10:23 UTC (permalink / raw)
  To: netfilter

Hello!

I have a Zyxel NR7101 5G router. This device has to handle a lot of 
sessions, and we had events in the past where the conntrack table was 
full, leading to dropping new sessions.
Another issue is that the device can only handle ~250 new sessions per 
second. (At 250 sessions/s one CPU core is completely utilized and it 
starts sending pause frames.)

Since we don't need any firewalling for the traffic that is only routed 
through the device, I wanted to disable connection tracking for some 
connections to reduce the size of the conntrack table and hopefully 
increase the number of new sessions that the device can handle.
However, neither the NOTRACK target nor the --notrack option for the CT 
target is available.

Here are a couple of infos regarding the OS/kernel/iptables version:

root@NR7101:~# uname -a
Linux NR7101 3.10.14 #1 SMP Tue Nov 29 09:49:05 CST 2022 mips GNU/Linux
root@NR7101:~# iptables -V
iptables v1.4.16.3

When I am trying to add rules to disable tracking I get the following 
errors:

root@NR7101:/# iptables -t raw -A PREROUTING -d 1.2.3.4 -j CT --notrack
iptables v1.4.16.3: unknown option "--notrack"
Try `iptables -h' or 'iptables --help' for more information.
root@NR7101:/# iptables -t raw -A PREROUTING -d 1.2.3.4 -j NOTRACK
iptables v1.4.16.3: Couldn't find target `NOTRACK'
Try `iptables -h' or 'iptables --help' for more information.


Since this is a small embedded device, man pages and other nice things 
one would expect from a modern Linux distribution are usually not available.

From what I found while digging through the change logs, at least one 
of the notrack options was available in iptables 1.4.16.3. However, the 
device does not know them. Might this be a compile-time option and the 
feature was simply left out by the manufacturer? Or do I have to load a 
kernel module explicitly? Is there any way to get this working?

One workaround for the first issue would be to increase the conntrack 
table size and hashsize; there is some RAM available, but it is not limitless.

Greetings and thank you very much
Jo

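An added diagnostic helper, not part of the thread or of any Zyxel firmware, that separates the two failure modes Jo hit. Both error messages above come from iptables userspace before the kernel is consulted: `unknown option` means the CT extension loaded but that build of it has no `--notrack` parser, while `Couldn't find target` means the `libxt_NOTRACK.so` extension is absent from the xtables library directory (whose location varies per firmware; `XTABLES_LIBDIR` overrides it). A kernel-side gap would instead read `No chain/target/match by that name`. The script is POSIX sh so it runs under a BusyBox shell; the libdir and sysctl directory are passed in as arguments, so the paths used here are assumptions for the reader to adjust.

```sh
#!/bin/sh
# Diagnose why a conntrack-bypass rule cannot be installed and how full
# the conntrack table is. Added example; assumes nothing about the firmware.

# Map an iptables error message to the layer that produced it.
classify_iptables_error() {
  case "$1" in
    *"unknown option"*)
      echo "userspace: target extension loaded, but this build lacks the option" ;;
    *"Couldn't find target"*)
      echo "userspace: libxt_<TARGET>.so missing from the xtables libdir" ;;
    *"No chain/target/match by that name"*)
      echo "kernel: target module not built or not loaded" ;;
    *)
      echo "unknown" ;;
  esac
}

# Print which raw-table bypass extensions exist in the given xtables libdir
# (typically /usr/lib/iptables or /usr/lib/xtables; see XTABLES_LIBDIR).
notrack_extensions() {
  dir=$1; found=""
  [ -f "$dir/libxt_NOTRACK.so" ] && found="$found NOTRACK"
  [ -f "$dir/libxt_CT.so" ] && found="$found CT"
  echo "${found# }"
}

# Conntrack table usage in percent, read from a sysctl directory
# (normally /proc/sys/net/netfilter). Returns 1 if the files are unreadable.
conntrack_usage_pct() {
  dir=$1
  count=$(cat "$dir/nf_conntrack_count" 2>/dev/null) || return 1
  max=$(cat "$dir/nf_conntrack_max" 2>/dev/null) || return 1
  [ "$max" -gt 0 ] 2>/dev/null || return 1
  echo $(( count * 100 / max ))
}

# Example run on a live box (paths are assumptions):
#   notrack_extensions /usr/lib/iptables
#   conntrack_usage_pct /proc/sys/net/netfilter
```

If `notrack_extensions` prints nothing, the manufacturer's iptables build simply omitted both extensions, and no kernel module will change that; if it prints CT but `--notrack` is still unknown, the CT extension itself predates that option.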

* Re: iptables 1.4.16.3 on a Zyxel Router: NOTRACK / CT --notrack not available
@ 2023-04-16 17:51 ` Bastian Bittorf
From: Bastian Bittorf @ 2023-04-16 17:51 UTC (permalink / raw)
  To: Johannes Erwerle; +Cc: netfilter

On Sun, Apr 16, 2023 at 12:23:14PM +0200, Johannes Erwerle wrote:
> I have a Zyxel NR7101 5G router. This device has to handle a lot of sessions
[...]

Just use OpenWRT - https://openwrt.org/toh/zyxel/nr7101

bye, Bastian
